1. Field
This disclosure relates to protection of computer data and programs, generally referred to as computer system and network security. The invention is useful for preventing data damage and theft, which can be done by malicious code attacks.
2. Related Art
The term virtualization has been used in the computing industry to mean different things. According to one use, the term means a software system that “mimics” or “virtualizes” a computer's hardware. Such a system was first popularized by VMware®, of Palo Alto, Calif., to enable one hardware computer to run multiple “guest” operating systems (OS) concurrently. Another use refers to virtualization of memory, sometimes referred to as storage virtualization. Storage virtualization is the process of completely abstracting logical storage from physical storage, such that storage addressing can be decoupled from the actual hardware available for storage. Yet another usage refers to a system such as Thinstall®, which enables easy portability and deployment of applications. A computer program is “packaged” or “encapsulated” such that it can be sent to a computer and can be executed without having to “install the program” in the traditional sense. The virtualized application is fooled at runtime into believing that it is directly interfacing with the original operating system and all of the resources managed by it, when in reality it is not. In this context, the term “virtualization” refers to the artifact being encapsulated (i.e., application), which is quite different to its meaning in hardware virtualization, where it refers to the artifact that is being abstracted (i.e., the physical hardware).
The current inventor has previously proposed another use for virtualization, which is for protection of computers against malicious or hostile code. We call “malicious” or “hostile” any code designed or modified to intentionally corrupt or steal data or programs from the computer system or network on which it runs. Protecting from hostile code is a challenging problem, since there is no way to programmatically distinguish positive and negative program actions, other than knowing whether they are ultimately good for the user or not. For example, a program may delete a file because the user has explicitly asked it to, but a malicious program could also delete a file against the user's will. In other words, there is no proper technical definition of “malicious” or “hostile” code—these being defined according to the behavior expected from a computer by its legitimate user.
Although it is possible to authenticate authorized users with password, trusted users themselves may endanger the system and network's security by unknowingly running programs that contain malicious instructions such as “viruses,” “Trojan horses,” “malicious macros,” “malicious scripts,” “worms,” “spying programs” and “backdoors.” A computer virus is a program that replicates by attaching itself to other programs. A Trojan horse is a program that, in a general way, does not do what the user expects it to do, but instead performs malicious actions such as data destruction and system corruption. Macros and scripts are programs written in high-level languages, which can be interpreted and executed by applications such as word processors, in order to automate frequent tasks. Because many macro and script languages require very little or no user interaction, malicious macros and scripts are often used to introduce viruses or Trojan horses into the system without user's approval. A worm is a program that, like a virus, spreads itself. But unlike viruses, worms do not infect other host programs and instead send themselves to other users via networking means such as electronic mail. Spying programs are a subtype of Trojan horses, secretly installed on a victim computer in order to send out confidential data and passwords from that computer to the person who put them in. A backdoor is a secret functionality added to a program in order to allow its authors to crack or misuse it, or in a general way exploit the functionality for their own interest.
All of the above programs can compromise computer systems and a company's confidentiality by corrupting data, propagating from one file to another, or sending confidential data to unauthorized persons, in spite of the user's will. In spite of much effort by the industry to protect computers against such malicious codes, various vulnerabilities of the computers or users are exploited daily to introduce malicious codes into computers. Existing systems are programmed to identify a malicious code and either prevent that code from infecting the computer or remove it from the computer which has already been infected. However, in many cases the software either fails to identify a code as being malicious since information about the new code has yet to propagate through the system, or much damage has already been done by the time that the malicious code has been identified and removed. Therefore, the current inventor has previously proposed using certain implementation of virtualization in order to prevent the code from affecting the computer, before it has even been determined whether the code is malicious or not. Such a system is now marketed by the assignee under the trademark BufferZone™. More information about such a system can be found in U.S. Pat. No. 7,613,930.
The BufferZone system enables one to freely surf the web and download any program without having to worry about malicious code, since the Buffer Zone “virtualizes” the “surfing environment.” This system is very effective since even if a malicious code was downloaded into the computer, it can only operate in the virtualized surfing environment and therefore cannot harm the computer or any files that are outside the virtualized environment. The subject invention provides further tools to improve this security system.